The DATU Modes and Practical Uses by Phractal [ disclaimer: unless you are a certified technician, any DATU you access is not your property and therefore is electronic trespassing into the insides of your local Central Office. Know what you're getting into. ] I. Intro, Switching Diagrams, DATU definition II. Format of DATUs III. Test Mode IV. Admin Mode V. Practical DATU uses VI. Theoretical DATU uses VII. Final Notes VIII. Technical Acronyms Well, a great many of articles have been written recently regarding the Direct Access Test Unit (DATU). A DATU is a computer that you can connect to via the PSTN, all you need is the phone number. My local Central Office uses a AT&T 5ESS switch, so I know for a fact that those switches use DATUs, I am not sure about others, like DMS switches, but chances are, your local, residential Central Office has a DATU. DATUs use the ring and tip wires a lot to test lines, the ring and tip wires are often the red and green wires that go into your phone. DATUs are tubular little wonders that allow the phone company and phreaks to preform tests on local loops. To test a line outside your Central Office's area, you need the DATU number for the Central Office that serves it. I should mention that this article discusses but is not necessarily limited to testing POTS lines. From the PSTN to your home: | \ / /------------------\ /-----------------------\ _ PSTN! __---CCITT5 Trunk--| Toll Switch |---| Local Switch / CO | |DMS 200, 250, 500 | | 5ESS, DMS 10, DMS 100 | \------------------/ \-----------------------/ / | \ | | [POTS lines] | ___|___ / \ /--------\ /--------\ |Junction| |Junction| | Box | | Box | \--------/ \--------/ /\ Split /\ Your k-rad line~~~~~~~~~}/ \ lines / \ /\ /\ /\ /\ / \ / residential lines / / / tip} /\ {ring / \ | | | | /------\ | home | \------/ The number: The format of most DATUs is xxx-9935 It is up to you to find an exchange that works, it shouldn't be too hard since most non-toll COs only serve less than 10 exchanges. If you still can't find it, the DATU could be anyplace else, or you have a different switch, but for most 9935 is the suffix for the DATU. You can try wardialing for them. You will recognize a DATU by it's weird prompt. It is a 440hz tone sounding like a low hum. The prompt is asking you to enter in the DATU password on your DTMF keypad. All passwords that I have found to work are 4 digits, the default is 1111. If it isn't the default, try pairs like 3535 or 9292, i have found some that work with pairs, as well as 4300. Then again, don't try and brute force the password, at least not from home. If the Telco notices a lot of failed DATU logins then they will contact you or they will change the password, causing a headache for all the linemen and phreaks who already know it. Use your head :) The real hardcore nerdy stuff of DATUs can be acquired by reading Phrack 52, and PPM issue 2 and 3. Therefore I'm not going to heavily explain what all the functions do inside the DATU. -Once you have the DATU, and the 440Hz tone, you will have to dial the password using DTMF tones. There are two accounts/passwords THAT I KNOW OF for each DATU. There is the normal account which is a 4 digit password, and there is an ADMIN account, which is * followed by 7 digits. Default passwords for the normal account are 1111 and 4300 Once inside the DATU using the normal account you will hear a second 440 Hz tone prompting you to enter in a seven digit phone number that is served by the switch the DATU is at. After that you should hear an OK to confirm, otherwise you did something wrong. You can perform tests on the line by using the corresponding codes: Code: Test: Fuction: 1 ---- Announces the menu over the phone 2 Audio Montior Hear SCRAMBLED traffic on the phone, can be used to test if there is activity on line or not. 33 Short to Ground Shorts the ring, tip and ground wires of your line back at the CO(red and green wires) 37 Ring Ground Shorts ground and ring wires 38 Tip Ground Shorts ground and tip wires 44 Ring/Tip High Tone Bursts a high level tone onto the Tip and Ring Wires 47 Ring High Tone Bursts a high level tone onto Ring wire, Tip grounded 48 Tip Hight Tone Bursts a high level tone onto Tip wire, Ring grounded 5 Low level Tone Bursts low level tone onto tip and ring wires 6 Open Line Cuts battery power to tip and ring, line has no electricuty from CO, rendering it unusable 7 Short Line Electricity given to tip and ring from CO 9 Permanent Signal Release Used on busy lines in older switches, refer to the DATU article by BlackAxe in PPM 2 * Hold Function Keeps current test on line active after you disconnect for a specified amount of time that you have to enter in, most of the time 10 minutes is the max, to prevent things like a line being open for a month. # New Test Disconnects you from current line, and prompts you to enter in a new number to test, like the Control-C of a DATU. ADMIN MODE: /!#@$%@#$ HI, I just want to make a point of saying that the following is info is NOT confirmed, I am writing this from my experiences using admin mode. For example, I don't know if option 3 actually has the power to delete exchanges or not, i haven't tried it, and neither should you, really. The Admin mode is entered by entering in a * followed by a seven digit passsword. I currently am un-aware of any 'defaults' for this. The options in the admin account allow you to do things that pertain more to the Central Office and how it serves the public. You cannot test local loops with the ADMIN ACCOUNT. Once you get a valid password, you should NOT hear a second 440hz tone, you should just automatically hear an 'OK'. The following codes work for the ADMIN mode: ***PLEASE IF YOU HAVE ACCESS HERE, EXPLORE WITH CARE! YOU COULD SERIOUSLY CAUSE DAMAGE TO YOU AND YOUR LOCAL NEIGHBORS SERVED BY THE LOCAL CO. I WOULD SUGGEST YOU DO NOT EVEN ATTEMPT TO CHANGE OR ACCESS ANY OPTIONS OTHER THAN TO CLEAR YOUR TRACKS(covered later). Code: Option: Fuction: 1 Set password Change the password for the normal account 2 Select Busy Task ?? 3 Read/Change Prefixes Hear exchanges served by the CO. Add or remove exchanges (BE CAREFUL!) 4 Read/Clear Timers ?? 5 Select # of digits ?? 6 Set Access Timeout Parameters ?? 7 Read/Clear Counters Clears onboard logs 8 Enable/Disable Test 9 Toggle wheather Permanent Signal Release is allowed or not to be used 0 Clear Alarm ?? ? Select Trunk ?? There are other kinds of lines and functions that you can do with the DATU computer, but I suggest you look them up in Phrack or PPM, or maybe I'll write a part 2 sometime later :) BTW, you can only use Audio Monitor, Low Level Tone, and Permanent Signal Release on a line that is busy. Practical Uses for DATUs: Busy Lines: Let's say you call a number, be a friend, or wardialing and its busy. You can use the audio montitor to test if there is actual traffic on the line, if not, then maybe the line is somesort of test line or someone left a phone off the hook. I have found audio monitor useful when trying to hack weird modern COCOTs. Let's say you know a BBS or some carrier that you want to connect to, but it's busy, like a COCOT's computer modem, you can blast a Low Level Tone to throw off the modem and have it get disconected, you can also remotely disconnect any modem from a connection if you know the number of the line. (You can only do this if the line has a ground going into thehouse, or building and not just at the CO) If there is a number you have found that is ALWAYS busy, i mean ALWAYS, try opening the line and dialing it right after the line is shorted back. I find that COCOTS almost always have grounds in them. *Most residential lines will not hear Low Level Tone, because they have no ground going into the phone. Beige Boxing in a large Telco Boxes: When beiging in a large telcobox, depending on where you are, it can be a puzzle to find the right pair to connect to the line you want to, if it is a specific line that you are looking for. You can use High Level Tone Tests to look for the pair, when you reach a pair that has a beeping you can bet its the same line you inputted into the DATU. If the line is busy, or you want to be more stealthy, you can use the low level tone, which is less likely for someone to hear unless they have a ground going into their phone, most don't nowadays. Remote Busy Box: Remember the Busy Box? You crossed the green and red wires to busy out any line. The green and red wires are tip and ring, so test code 33 can remotely turn any local line into a busy box since the tip and ring wires are shorted out at the CO. Be in mind that most likely you can only keep a line shorted for 10 minutes after you hang up, if you want longer, just keep dialing in every 10 minutes. The same goes for opening a line (shutting it off) or any tone tests. Some notes about Audio Monitor: --- The Audio Monitor feature is not a tap or eavesdropping feature, you can not understand any speech or capture any DTMF tones traveling along the line though the DATU. It is merely used to verify that there is indeed activity on a line, if the line is busy and there is no acitivy, then there could be a problem. Theoretical Uses for DATUs: Creating Phone Numbers: Have you ever dreamed of creating a phone number out of thin air, with no billable address like the Legion of Doom did back in the day? Well, the first step could be creating a new exchange to use your numbers on. Once the exchange is created, I can't really tell you where to go from there. If you find other ways of entering the switch, like thru a dialup or over some Packet Switched Network, then go for it, but be careful, respect the telco's turf, and DON'T MODIFY OTHER PEOPLE'S STUFF! Mapping Switch Hardware: I have heard some DATUs announce the switch they are attached to. This can be Final Notes: DATUs are for testing lines only, they apply certain tones and can short lines, but they are not used to add features or anything to a line. You cannot add three way calling to your line through a DATU. You cannot add Call Forwarding to you line, you cannot get ISDN or ADSL. And please test responsably. If you keep opening a line to annoy someone then the password will most likely get changed. As far as I know, if you have the dialup and password, you can access the DATU from anyplace on the PSTN, there is no confirmation that you are calling from a local number or anything, so If you are in NY, you can test lines in California providing you have the DATU k0d3z. Technical Acronyms: PSTN Public Switched Telephone Network (the global phone network) AT&T American Telephone and Telegraph ESS Electronic Switching System DMS Digital Multiplexing System CCITT Committee Consultative International Telegraph and Telephone POTS Plain Old Telephone System DTMF Dual Tone Multi Frequency PPM Phone Punx Magazine CO Central Office COCOT Customer Owned Coin Operated Telephone BBS Bulliten Board System ISDN Integrated Services Digital Network ADSL Asynchronous Digital Subscriber Line DATU You should know this... Greets: 9x, Substance, Hybrid, D4RKCYDE, Downtime, Phonerangers, Telec, Mastermind, Black Axe, Janus, linear, terror eyz, dijit, nawleed, vixen, Zylone, Pinguino, The Clone, logicbox, velocity, Venadium, Brisk, Bor, Xade :), notten, barby, bikr, tomgavin, leprekaun, dinkee, purp, vap0r, Tubular Phreak, 3rd worm, diozepart, Team Phreak, and all my other old skool conf buddiez, you know who you are ;) I also owe alot to Telec and MMX to my current understanding of the DATU computer.